
     1  // +build seccomp
     2  
     3  package seccomp // import "github.com/docker/docker/profiles/seccomp"
     4  
     5  import (
     6  	"github.com/opencontainers/runtime-spec/specs-go"
     7  	"golang.org/x/sys/unix"
     8  )
     9  
// arches returns the architecture map used by the default profile: each
// entry pairs a primary architecture with the sub-architectures that are
// filtered alongside it.
func arches() []Architecture {
	// entry builds one Architecture; the variadic tail becomes the
	// SubArches slice exactly as a literal would.
	entry := func(primary specs.Arch, secondary ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: secondary}
	}
	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
	}
}
    42  
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
//
// The profile is an allow-list: DefaultAction is specs.ActErrno, so a syscall
// that matches none of the entries below is refused with an errno rather than
// executed (and rather than killing the process). The entries fall into four
// groups: a broad unconditional allow-list, argument-restricted entries
// (personality, clone), architecture- or kernel-gated entries, and entries
// gated on a Linux capability. Gating is expressed through the Includes and
// Excludes Filters; the code that evaluates those filters is outside this
// file. Entry order is preserved in the returned Syscalls slice.
func DefaultProfile() *Seccomp {
	syscalls := []*Syscall{
		// Broadly allowed syscalls with no argument, capability, arch or
		// kernel restriction. Args is an explicit empty slice rather than
		// nil; keep it that way, since the two serialize differently.
		{
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_open",
				"pidfd_send_signal",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rseq",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
		},
		// ptrace without any capability, but only on kernels >= 4.8.
		// NOTE(review): presumably because older kernels let a tracer
		// tamper with syscalls after the seccomp check ran — confirm.
		// A second, capability-gated ptrace entry appears further down.
		{
			Names:  []string{"ptrace"},
			Action: specs.ActAllow,
			Includes: Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		// personality is allowed only for an exact match of argument 0
		// against one of the five values below; any other value is
		// refused by DefaultAction. NOTE(review): these look like
		// PER_LINUX (0x0), PER_LINUX32 (0x0008), UNAME26 (0x20000),
		// UNAME26|PER_LINUX32 (0x20008) and the "query current
		// personality" value (0xffffffff) — confirm against
		// <linux/personality.h> before changing any of them.
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    specs.OpEqualTo,
				},
			},
		},
		// Architecture-specific syscalls; each entry is limited to the
		// arches listed in its Includes filter. sync_file_range2 is
		// listed for both ppc64le and arm/arm64.
		{
			Names: []string{
				"sync_file_range2",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		// Capability-gated syscalls. Each of the following entries is
		// allowed only when the container holds the capability named in
		// its Includes filter; without it the syscall falls through to
		// DefaultAction. The same syscall may appear under more than one
		// capability (e.g. syslog, clone, ptrace).
		{
			Names: []string{
				"open_by_handle_at",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		// With CAP_SYS_ADMIN, clone is allowed without argument
		// restrictions (compare the two masked clone entries below).
		{
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		// Without CAP_SYS_ADMIN, clone is allowed only when none of the
		// namespace-creation flags in Value are set in argument 0:
		// OpMaskedEqual uses Value as the mask and ValueTwo (0) as the
		// expected masked result, so creating a new namespace via clone
		// is refused. s390/s390x are excluded here because their flags
		// argument differs; the next entry covers them.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Excludes: Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		// Same rule as the previous entry for s390/s390x, where the
		// clone flags are passed in argument 1 instead of argument 0.
		{
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		// With CAP_SYS_PTRACE, ptrace is allowed regardless of the kernel
		// version required by the earlier unprivileged ptrace entry.
		{
			Names: []string{
				"kcmp",
				"pidfd_getfd",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		{
			Names: []string{
				"syslog",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Everything not matched above is refused with an errno (ActErrno),
	// which is the property that makes this an allow-list profile.
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}